How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities
ID: 1ccf4ddb-ebb2-5023-a3dd-18ea0ded75b4
STIX ID: report--1ccf4ddb-ebb2-5023-a3dd-18ea0ded75b4
Feed Name: Volexity Blog
Volexity details how memory forensics let it reconstruct an active exploitation chain for two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances. The analysis recovered memory-only POST payloads, base64-encoded commands, attacker-controlled SSH connect-back shells running as root, and evidence that the attackers modified the appliance's Integrity Checking Tool to evade detection. The report stresses rapid memory acquisition and automated IOCs for detecting and investigating compromises.
